Data processing agreement
Standard Contractual Clauses
pursuant to Article 28(3) of Regulation 2016/679 (GDPR) for the purpose of the processing of personal data by the data processor
between
The customer (you)
(as stated in the Main Agreement on access to XpressU, cf. section 1.3 below)
(hereinafter referred to as “the data controller”)
and
XpressU ApS
CVR no.: 39899191
Ordrupvej 112c
2920 Charlottenlund
Denmark
(hereinafter referred to as the “data processor”)
(each of whom is a “party” and together constitute the “parties”)
have agreed upon the following standard contractual clauses (the Provisions) in order to comply with the General Data Protection Regulation and to ensure the protection of privacy and the fundamental rights and freedoms of natural persons.
Contents
- Preamble
- Rights and obligations of the data controller
- The data processor acts on instructions
- Confidentiality
- Processing security
- Use of sub-processors
- Transfer to third countries or international organisations
- Assistance to the data controller
- Notification of a personal data breach
- Deletion and return of information
- Audit, including inspection
- Agreement of the parties on other matters
- Entry into force and termination
- Contact persons at the data controller and data processor
Appendix A Information about the processing
Appendix B Sub-processors
Appendix C Instructions regarding the processing of personal data
Appendix D The parties' regulation of other matters
1. Preamble
1.1. These Provisions set out the rights and obligations of the data processor when processing personal data on behalf of the data controller.
1.2. These Provisions are designed to ensure the parties' compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.3. In connection with the hosting, conversion and support of user media in the use of XpressU, as agreed in the commercial agreement between the data processor and the data controller (hereinafter the “Main Agreement”), the data processor processes personal data on behalf of the data controller in accordance with these Provisions.
1.4. The Provisions take precedence over any similar provisions in other agreements between the parties.
1.5. There are four annexes to these Provisions, and the annexes form an integral part of the Provisions.
1.6. Annex A contains further information on the processing of personal data, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.
1.7. Annex B contains the data controller's conditions for the data processor's use of sub-processors and a list of sub-processors that the data controller has approved for use.
1.8. Annex C contains the data controller's instructions regarding the data processor's processing of personal data, a description of the security measures that the data processor must implement as a minimum, and how the data processor and any sub-processors are supervised.
1.9. Annex D contains provisions regarding other activities not covered by the Provisions.
1.10. The Provisions and the associated annexes must be kept in writing, including electronically, by both parties.
1.11. These Provisions do not release the data processor from obligations imposed on the data processor under the General Data Protection Regulation or any other legislation.
2. Rights and obligations of the data controller
2.1. The data controller is responsible for ensuring that the processing of personal data is carried out in accordance with the General Data Protection Regulation (see Article 24 of the Regulation), data protection provisions in other EU law or the Member States' national law, and these Provisions.
2.2. The data controller has the right and the obligation to make decisions about the purpose(s) for which and the means by which personal data may be processed.
2.3. The data controller is responsible for, among other things, ensuring that there is a legal basis for the processing of personal data that the data processor is instructed to carry out.
3. The data processor acts on instructions
3.1. The data processor shall only process personal data on documented instructions from the data controller, unless required to do so by Union law or the national law of the Member States to which the data processor is subject. Such instructions shall be specified in Annexes A and C. Subsequent instructions may also be given by the data controller while personal data are being processed, but such instructions shall always be documented and kept in writing, including electronically, together with these Provisions.
3.2. The data processor shall immediately inform the data controller if, in its opinion, an instruction infringes the General Data Protection Regulation or data protection provisions of other Union law or the national law of the Member States.
4. Confidentiality
4.1. The data processor may only grant access to personal data processed on behalf of the data controller to persons who are subject to the data processor's powers of instruction, who have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality, and only to the extent necessary. The list of persons who have been granted access shall be reviewed on an ongoing basis. Based on this review, access to personal data may be closed if access is no longer necessary, and the personal data shall then no longer be accessible to these persons.
4.2. The data processor must, upon request from the data controller, be able to demonstrate that the persons concerned, who are subject to the data processor's powers of instruction, are subject to the above-mentioned confidentiality obligation.
5. Processing security
5.1. Article 32 of the GDPR states that the data controller and the data processor shall, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security appropriate to those risks. The data controller shall assess the risks to the rights and freedoms of natural persons represented by the processing and implement measures to address those risks. Depending on their relevance, this may include:
  a. pseudonymisation and encryption of personal data
  b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  c. the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
  d. a procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of processing.
5.2. According to Article 32 of the Regulation, the data processor must also, independently of the data controller, assess the risks to the rights of natural persons represented by the processing and implement measures to address those risks. For the purpose of this assessment, the data controller must provide the data processor with the information necessary to enable it to identify and assess such risks.
5.3. In addition, the data processor must assist the data controller in complying with the data controller's obligation under Article 32 of the Regulation, including by providing the data controller with the necessary information regarding the technical and organisational security measures that the data processor has already implemented pursuant to Article 32 of the Regulation, and any other information necessary for the data controller to comply with its obligation under Article 32 of the Regulation.
If addressing the identified risks – in the opinion of the data controller – requires the implementation of measures in addition to those already implemented by the data processor, the data controller must specify the additional measures to be implemented in Annex C.
6. Use of sub-processors
6.1. The data processor must meet the conditions set out in Article 28(2) and (4) of the GDPR in order to make use of another data processor (a sub-processor).
6.2. The data processor may not use a sub-processor to fulfil these Provisions without the prior general approval of the data controller.
6.3. The data processor has the general approval of the data controller for the use of sub-processors. The data processor shall notify the data controller in writing of any planned changes regarding the addition or replacement of sub-processors with at least 14 days' notice, thereby giving the data controller the opportunity to object to such changes before the sub-processor(s) in question are used. Longer notice periods for notification in connection with specific processing activities may be specified in Annex B. The list of sub-processors that the data controller has already approved is set out in Annex B.
6.4. Where the data processor uses a sub-processor to carry out specific processing activities on behalf of the data controller, the data processor shall, by means of a contract or other legal instrument under Union law or the national law of the Member States, impose on the sub-processor the same data protection obligations as those set out in these Provisions, in particular providing the necessary guarantees that the sub-processor will implement the technical and organisational measures in such a way that the processing will comply with the requirements of these Provisions and the General Data Protection Regulation. The data processor is therefore responsible for requiring that the sub-processor at least comply with the data processor's obligations under these Provisions and the General Data Protection Regulation.
6.5. Sub-processor agreement(s) and any subsequent amendments thereto shall be sent in copy to the data controller upon its request, so that the data controller can ensure that corresponding data protection obligations resulting from these Provisions are imposed on the sub-processor. Provisions on commercial terms that do not affect the data protection content of the sub-processor agreement need not be sent to the data controller.
6.6. The data processor must, in its agreement with the sub-processor, include the data controller as a third-party beneficiary in the event of the data processor's bankruptcy, so that the data controller can succeed to the data processor's rights and enforce them against the sub-processor, which, for example, enables the data controller to instruct the sub-processor to delete or return the personal data.
6.7. If the sub-processor fails to comply with its data protection obligations, the data processor shall remain fully liable to the data controller for the performance of the sub-processor's obligations. This shall not affect the rights of data subjects under the General Data Protection Regulation, in particular Articles 79 and 82 of the Regulation, against the data controller and the data processor, including the sub-processor.
7. Transfer to third countries or international organisations
7.1. Any transfer of personal data to third countries or international organisations may only be carried out by the data processor on the basis of documented instructions from the data controller and must always be in accordance with Chapter V of the General Data Protection Regulation.
7.2. Where a transfer of personal data to third countries or international organisations, which the data processor has not been instructed to carry out by the data controller, is required by Union law or the national law of the Member States to which the data processor is subject, the data processor shall inform the data controller of this legal requirement prior to processing, unless that law prohibits such notification on important grounds of public interest.
7.3. Without documented instructions from the data controller, the data processor cannot, within the framework of these Provisions:
  a. transfer personal data to a data controller or data processor in a third country or to an international organisation
  b. entrust the processing of personal data to a sub-processor in a third country
  c. process the personal data in a third country
7.4. The data controller's instructions regarding the transfer of personal data to a third country, including the transfer basis in Chapter V of the General Data Protection Regulation on which the transfer is based, must be stated in Annex C.6.
7.5. These Provisions should not be confused with the standard contractual clauses referred to in Article 46(2)(c) and (d) of the GDPR, and these Provisions cannot constitute a basis for the transfer of personal data as referred to in Chapter V of the GDPR.
8. Assistance to the data controller
8.1. The data processor shall, taking into account the nature of the processing, assist the data controller, as far as possible, by means of appropriate technical and organisational measures, in fulfilling the data controller's obligation to respond to requests for the exercise of the data subjects' rights as set out in Chapter III of the General Data Protection Regulation. This means that the data processor shall, as far as possible, assist the data controller in ensuring compliance with:
  a. the obligation to provide information when collecting personal data from the data subject
  b. the obligation to provide information if personal data has not been collected from the data subject
  c. the right of access
  d. the right to rectification
  e. the right to erasure (“the right to be forgotten”)
  f. the right to restriction of processing
  g. the obligation to notify in connection with the rectification or erasure of personal data or the restriction of processing
  h. the right to data portability
  i. the right to object
  j. the right not to be subject to a decision based solely on automated processing, including profiling.
8.2. In addition to the data processor's obligation to assist the data controller pursuant to Clause 5.3, the data processor shall also, taking into account the nature of the processing and the information available to the data processor, assist the data controller with:
  a. the data controller's obligation to notify a personal data breach to the competent supervisory authority, the Danish Data Protection Authority, without undue delay and, where feasible, no later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights or freedoms of natural persons
  b. the data controller's obligation to notify the data subject of a personal data breach without undue delay when the breach is likely to result in a high risk to the rights and freedoms of natural persons
  c. the data controller's obligation to carry out, prior to processing, an assessment of the impact of the intended processing activities on the protection of personal data (a data protection impact assessment)
  d. the data controller's obligation to consult the competent supervisory authority, the Danish Data Protection Authority, prior to processing if a data protection impact assessment shows that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk.
8.3. The parties shall specify in Annex C the necessary technical and organisational measures with which the data processor shall assist the data controller, and to what extent. This applies to the obligations arising from Clauses 8.1 and 8.2.
9. Notification of a personal data breach
9.1. The data processor shall notify the data controller without undue delay after becoming aware of a personal data breach.
9.2. The data processor's notification to the data controller must, if possible, take place no later than 48 hours after the data processor has become aware of the breach, so that the data controller can comply with its obligation to report the personal data breach to the competent supervisory authority, cf. Article 33 of the General Data Protection Regulation.
9.3. In accordance with Clause 8.2.a, the data processor shall assist the data controller in notifying the breach to the competent supervisory authority. This means that the data processor shall assist in providing the following information, which, according to Article 33(3) of the GDPR, must be included in the data controller's notification of the breach to the competent supervisory authority:
  a. the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
  b. the likely consequences of the personal data breach
  c. the measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
9.4. The parties shall specify in Annex C the information that the data processor shall provide in connection with its assistance to the data controller in fulfilling its obligation to report personal data breaches to the competent supervisory authority.
10. Deletion and return of information
10.1. Upon termination of the services relating to the processing of personal data, the data processor is obliged to delete all personal data that have been processed on behalf of the data controller and to confirm to the data controller that the data have been deleted, unless EU law or the national law of the Member States requires the retention of the personal data.
11. Audit, including inspection
11.1. The data processor shall make available to the data controller all information necessary to demonstrate compliance with Article 28 of the GDPR and these Provisions, and shall allow for and contribute to audits, including inspections, carried out by the data controller or by another auditor authorised by the data controller.
11.2. The procedures for the data controller's audits, including inspections, of the data processor and sub-processors are set out in Annexes C.7 and C.8.
11.3. The data processor is obliged to grant supervisory authorities which, under applicable law, have access to the facilities of the data controller or the data processor, or representatives acting on behalf of the supervisory authority, access to the data processor's physical facilities upon proper identification.
12. Agreement of the parties on other matters
12.1. The parties may agree on other provisions regarding the service relating to the processing of personal data, for example on liability, as long as these other provisions do not directly or indirectly conflict with the Provisions or impair the fundamental rights and freedoms of the data subject as set out in the General Data Protection Regulation.
13. Entry into force and termination
13.1. The Provisions enter into force on the date of entry into force of the Main Agreement.
13.2. Either party may demand that the Provisions be renegotiated if changes in the law or inadequacies in the Provisions give rise to this.
13.3. The Provisions apply for the duration of the personal data processing service. During this period, the Provisions cannot be terminated unless other provisions governing the provision of the personal data processing service are agreed between the parties.
13.4. If the provision of the services relating to the processing of personal data ceases and the personal data have been deleted or returned to the data controller in accordance with Clause 10.1 and Annex C.4, the Provisions may be terminated by written notice by either party.
14. Contact persons at the data controller and data processor
14.1. The parties can contact each other via the contact persons stated below.
14.2. The parties are obliged to keep each other informed of any changes regarding contact persons.
Contact person, data controller:
The data controller's contact person and contact information are as stated in the Main Agreement.
Contact person, data processor:
The data processor's contact person and contact information are as stated in the Main Agreement.
Enquiries can always be sent to support@xpressu.dk
Appendix A Information about the processing
A.1. The purpose of the data processor's processing of personal data on behalf of the data controller
The purpose of the processing is to make the media and communication platform XpressU available to the customer and the customer's users, including communicating with users regarding system updates and news, and contact with the customer regarding support, etc.
A.2. The processing of personal data by the data processor on behalf of the data controller primarily concerns (the nature of the processing)
The data processor provides a system to the data controller that enables the storage, sharing and composition of presentations, including video, image material and PowerPoint presentations. The system enables users to create, edit, update and share content with both internal and external users. The solution is used, among other things, for e-learning and related educational activities.
The processing of personal data primarily includes general information such as name, email address and contact information of the users of the system. Statistics on usage are also kept.
The data processor only processes personal data in accordance with the instructions of the data controller and ensures that the necessary technical and organizational measures are implemented to protect the processed data in accordance with applicable data protection legislation.
A.3. The processing includes the following types of personal data about the data subjects:
General information about the customer's employees is processed, including name, email, and contact information.
A.4. The processing includes the following categories of data subjects:
The Customer's employees and the Customer's members.
A.5. The processing of personal data by the data processor on behalf of the data controller may commence after these Provisions come into force. The processing has the following duration:
The processing is not limited in time, which is why the data processor processes personal data on behalf of the data controller for the entire duration of the agreement.
Appendix B Sub-processors
B.1. Authorized sub-processors
| NAME | CVR / VAT NO. | ADDRESS | DESCRIPTION OF PROCESSING |
|---|---|---|---|
| Visma e-conomic A/S | CVR 29403473 | Gærtorvet 3, 1799 Copenhagen V, Denmark | Invoicing |
| Intercom R&D Unlimited Company | IE VAT IE3273393EH | Saint Stephen's Green 124, Dublin, Ireland | Support and communication with end users |
| Microsoft Azure | VAT DK20812842 | Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland | Storage and servicing of encrypted data for XpressU (see Microsoft GDPR) |
| CloudConvert (Lunaweb GmbH) | VAT ID DE316913979 | Lunaweb GmbH, Northern Munich Street 47, DE-82031 Grünwald, Germany (commercial register: Munich Local Court, HRB 238086) | Media conversion |
Upon entry into force of the Provisions, the data controller has approved the use of the above-mentioned sub-processors for the described processing activities. The data processor may not – without the written approval of the data controller – use a sub-processor for a processing activity other than the one described and agreed upon, or use another sub-processor for this processing activity.
B.2. Notification for approval of sub-processors
Please refer to Clause 6.3 of the Provisions.
Appendix C Instructions regarding the processing of personal data
C.1. Subject matter/instructions of the processing
The data processor's processing of personal data on behalf of the data controller occurs by the data processor performing the following:
The data processor makes XpressU available to the data controller and, as part of the data controller's use of XpressU, processes personal data on behalf of the data controller.
C.2. Processing security
The security level must reflect:
The processing involves a small amount of personal data, primarily name and contact information for the purpose of administering support tasks. None of this information falls under Article 9 of the GDPR (special categories of personal data) or is otherwise particularly confidential. Statistics on the use of XpressU are also stored.
The data processor is thus entitled and obliged to make decisions about which technical and organisational security measures must be implemented to establish the necessary (and agreed) level of security.
However, the data processor must – in all circumstances and as a minimum – implement the following measures, which have been agreed with the data controller:
Data is not pseudonymized, but is sent encrypted between backend and frontend, and up-to-date security measures have been implemented around the platform.
A number of technical and organizational security measures have been implemented. The system uses encryption both in transmission and storage of data to protect against unauthorized access. Access controls have been established to ensure that only authorized users have access to the relevant material and that their actions can be traced. Regular security updates and system maintenance are carried out to ensure that the system is resilient to security threats. User information, including name, email and statistical usage patterns, is stored in a secure system with appropriate access restrictions. Backup and recovery procedures have also been implemented to ensure the availability and integrity of data in the event of system failures or unforeseen events. The system is designed to withstand potential attacks and can quickly recover from crashes, ensuring continuous operation.
- Routine backup of data has been established, including backup of the server.
- Server updates and optimisation reviews are carried out on an ongoing basis.
- Personal data can only be accessed after two-factor login to XpressU Admin or the Intercom software.
- Data is encrypted.
- Data is stored in Microsoft Azure databases with the recommended settings.
- Data is held in Microsoft and Intercom data centers, which are secured according to those providers' security procedures.
- XpressU's employees hold no personal data on their computers, apart from access to email, Microsoft Azure and Intercom.
- A standard web server log is kept on the Azure server, and XpressU itself tracks usage behavior.
C.3 Assistance to the data controller
The data processor shall, to the extent possible and within the scope and extent set out below, assist the data controller in accordance with Clauses 8.1 and 8.2 by implementing the following technical and organisational measures:
XpressU provides assistance to a reasonable extent. In the event of assistance beyond the usual and relatively limited scope, we reserve the right to charge for time spent in accordance with XpressU's usual hourly rates.
XpressU shall notify the Data Controller of any detected data breach and shall thereafter provide reasonable assistance. In the event of assistance beyond the usual and relatively limited scope, XpressU reserves the right to charge for time spent in accordance with XpressU's usual hourly rates. XpressU shall never contact the supervisory authority without prior agreement with the Data Controller. The Data Processor shall notify the Data Controller of any security breach within 48 hours.
C.4 Retention period/deletion routine
Information associated with the individual user is automatically deleted 30 days after termination of subscription.
C.5 Location of processing
The processing of personal data covered by the Provisions takes place at the locations listed below at the time of conclusion of the agreement. Changes to these locations may only take place without the consent of the data controller if they do not entail an increased data protection risk: a transfer within the same country or, for example, within the EU/EEA will generally be possible without the prior consent of the data controller, whereas a transfer from, for example, the USA to another third country will not be possible without such prior consent.
| Name | Location of processing | Processing activity |
|---|---|---|
| Visma e-conomic A/S | Gærtorvet 3, 1799 Copenhagen V, Denmark | Invoicing |
| Intercom | 55 2nd Street, 4th Floor, San Francisco, CA 94105, USA | Support and communication with end users |
| Microsoft Azure | Evert van de Beekstraat 354, 1118 CZ Schiphol Airport, North Holland, Netherlands | Software development and data processing |
| CloudConvert (Lunaweb GmbH) | Northern Munich Street 47, DE-82031 Grünwald, Germany (commercial register: Munich Local Court, HRB 238086) | Media conversion |
C.6 Instructions regarding the transfer of personal data to third countries
The data processor is instructed to transfer personal data to the following country(ies) outside the EU/EEA or international organisation(s): USA (Intercom).
The processing and transfer in these cases is carried out in accordance with the EU-US Data Privacy Framework, and Intercom has implemented EU Standard Contractual Clauses (SCCs) for the company's other subsidiaries in order to ensure broad compliance with data protection law.
If the data controller does not provide documented instructions in these Terms or subsequently regarding the transfer of personal data to a third country, the data processor is not entitled to carry out such transfers within the framework of these Terms.
C.7 Procedures for the controller's audits, including inspections, of the processing of personal data entrusted to the processor
The data controller or a representative of the data controller shall conduct an inspection by sending a questionnaire to the data processor, which the data processor shall answer in order to determine the data processor's compliance with the General Data Protection Regulation, data protection provisions in other EU law or the national law of the Member States and these Regulations.
C.8 Procedures for audits, including inspections, of the processing of personal data entrusted to sub-processors
The data processor or a representative of the data processor shall conduct an inspection by sending a questionnaire to the sub-processor, which the sub-processor shall answer, in order to determine the sub-processor's compliance with the General Data Protection Regulation, data protection provisions in other EU law or the national law of the Member States, and these Provisions.
The data controller may, upon request, obtain insight into the results of the data processor's inspections of sub-processors, including relevant conclusions and any material matters identified, to the extent necessary to assess compliance with data protection rules in the supply chain.
Reference is made to the sub-processors' own data processing statements:
How Intercom complies with GDPR
Data processing agreement Visma e-conomic A/S
When supervising sub-processors, XpressU follows the guidance of the Danish Data Protection Authority.